Check Point VPN Flaw Exploited: PoC and Details Released

▼ Summary
– WatchTowr researchers disclosed a technical analysis and detection tool for CVE-2026-50751, an authentication bypass in Check Point’s Remote Access VPN and Mobile Access that is actively exploited.
– Check Point patched the flaw on June 8, 2026, after in-the-wild exploitation began in early May, targeting a few dozen organizations, with one incident linked to a Qilin ransomware affiliate.
– The flaw allows unauthenticated attackers to manipulate authentication flags via a custom Vendor ID payload during IKEv1 negotiation, bypassing certificate-based authentication to log in as a Remote Access user.
– The authentication bypass works over TCP 443 if UDP access is blocked, and affects Certificate, Certificate with enrollment, and Mixed user-authentication methods, but not the Legacy username/password method.
– Check Point recommends applying hotfixes for this flaw and a related certificate-validation issue (CVE-2026-50752), or disabling legacy IKEv1/Remote Access client support and enforcing mandatory machine-certificate authentication if patching is not possible.
WatchTowr researchers have published a technical deep dive and a Detection Artefact Generator for CVE-2026-50751, a critical authentication bypass vulnerability in Check Point’s Remote Access VPN and Mobile Access solutions. The vendor has confirmed the flaw is being actively exploited in the wild.
Though the initial attacks were limited to a small number of targets, the release of this technical information and proof-of-concept code is likely to trigger a broader wave of opportunistic exploitation.
The vulnerability, patched by Check Point on June 8, 2026, has been under active exploitation since early May. The vendor reported that a few dozen organizations were hit before the patch was made available, with at least one incident tied to a Qilin ransomware affiliate.
WatchTowr Labs researcher McCaulay Hudson released a detailed technical analysis today, explaining how the vulnerable code enables a connecting client to manipulate authentication flags through a custom Vendor ID payload during IKEv1 negotiation. He demonstrated that this can be escalated into a full authentication bypass.
Hudson also built and published a proof-of-concept IKEv1 client that completes phase-1 negotiation using a random signature. This allows remote, unauthenticated attackers to log in as any provisioned Remote Access user without needing a valid certificate, private key, or password.
According to the PoC’s README, a Check Point Security Gateway with both the Remote Access VPN and Mobile Access blades is vulnerable when configured for the legacy IKEv1 path and when connections from legacy Remote Access clients are permitted. As the vendor previously noted, a third prerequisite for a successful attack is that the gateway does not require a machine certificate to establish connections.
Hudson clarified that the certificate-authentication bypass works against the Certificate, Certificate with enrollment, and Mixed user-authentication methods. The plain Legacy method, which relies on a username and password, remains unaffected. He also noted that the authentication bypass functions over TCP 443 if UDP access is blocked or filtered, so filtering UDP at the perimeter alone does not mitigate the flaw.
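The article does not say what the malicious Vendor ID payload contains, so nothing below reproduces the bypass. As an added example for this page (not WatchTowr's PoC and not Check Point's detection artefact generator), the following Python walks an IKEv1 phase-1 message as laid out in RFC 2408, enumerates the payload chain, and lists every Vendor ID payload, labelling any that is not on a site-defined baseline as unrecognized so it can be logged for hunting. The sample packet and the baseline list are constructed for this example; the code assumes raw ISAKMP datagrams as captured on UDP 500 and does not handle the TCP 443 encapsulation mentioned above.

```python
"""IKEv1 (ISAKMP, RFC 2408) payload walker with Vendor ID extraction.

Added example, not code from the article, WatchTowr or Check Point. It only
shows how to enumerate the Vendor IDs a client sends in a phase-1 message and
flag those missing from a baseline; the packet built below is constructed.
"""
from __future__ import annotations

import hashlib
import struct

# Header: I-cookie, R-cookie, next payload, version, exchange type, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header: next payload, reserved, payload length (incl. this header)
PAYLOAD_HDR = struct.Struct("!BBH")

PAYLOAD_NAMES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
VENDOR_ID = 13
EXCHANGE_NAMES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}

# Baseline of Vendor IDs your legitimate Remote Access clients send. The NAT-T value
# is derived from its definition (MD5 of "RFC 3947"); anything else is site-specific.
BASELINE_VIDS = {hashlib.md5(b"RFC 3947").digest(): "NAT-T RFC 3947"}


def parse_isakmp(data: bytes) -> dict:
    """Parse one ISAKMP message into header fields plus a list of (type, body) payloads.

    Raises ValueError on truncated or inconsistent length fields instead of reading
    past the end: malformed lengths are exactly what a hunter should not ignore.
    """
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, _rcookie, np, ver, xchg, flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if ver >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {ver >> 4})")
    if length != len(data):
        raise ValueError(f"header length {length} != packet length {len(data)}")
    info = {
        "initiator_cookie": icookie.hex(),
        "exchange": xchg,
        "exchange_name": EXCHANGE_NAMES.get(xchg, f"type {xchg}"),
        "encrypted": bool(flags & 0x01),  # E bit: payloads are ciphertext
        "payloads": [],
    }
    if info["encrypted"]:
        return info  # cannot walk payloads without the phase-1 keys
    off = ISAKMP_HDR.size
    while np != 0:
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("truncated payload header")
        next_np, _reserved, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        info["payloads"].append((np, data[off + PAYLOAD_HDR.size:off + plen]))
        np, off = next_np, off + plen
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return info


def vendor_ids(msg: dict) -> list[tuple[bytes, str]]:
    """Return (vid_bytes, label) for every Vendor ID payload; unknown ones get UNRECOGNIZED."""
    return [(body, BASELINE_VIDS.get(body, "UNRECOGNIZED"))
            for ptype, body in msg["payloads"] if ptype == VENDOR_ID]


def is_well_formed(data: bytes) -> bool:
    """True if the message parses without any length inconsistency."""
    try:
        parse_isakmp(data)
        return True
    except ValueError:
        return False


def _payload(next_np: int, body: bytes) -> bytes:
    return PAYLOAD_HDR.pack(next_np, 0, PAYLOAD_HDR.size + len(body)) + body


def build_sample_main_mode() -> bytes:
    """Constructed initiator message: SA payload, a baseline VID and an unknown VID."""
    sa_body = struct.pack("!II", 1, 1)  # DOI=IPSEC, SIT_IDENTITY_ONLY; proposals omitted
    odd_vid = bytes.fromhex("0011223344556677")  # constructed, not any real vendor's VID
    body = _payload(VENDOR_ID, sa_body)                       # SA, next = VID
    body += _payload(VENDOR_ID, hashlib.md5(b"RFC 3947").digest())  # VID, next = VID
    body += _payload(0, odd_vid)                              # VID, next = none
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


if __name__ == "__main__":
    msg = parse_isakmp(build_sample_main_mode())
    print(msg["exchange_name"], [PAYLOAD_NAMES.get(t, t) for t, _ in msg["payloads"]])
    for vid, label in vendor_ids(msg):
        print(f"VID {vid.hex()} -> {label}")
```

Feed it the UDP 500 datagrams from a capture of a gateway's Remote Access clients (on UDP 4500 strip the four-byte non-ESP marker first) and baseline the Vendor IDs seen during normal operation; a Vendor ID that has never appeared before, or a message that fails the length checks, is worth correlating with the indicators Check Point released.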
Check Point has released indicators of compromise tied to the initial attacks, enabling defenders to check whether their gateways have been targeted. The company urges customers to apply the hotfixes that patch both CVE-2026-50751 and a related certificate-validation flaw (CVE-2026-50752).
Organizations running affected Check Point Security Gateways and Spark Firewall products that have not yet applied the hotfix for CVE-2026-50751 should do so immediately. If patching is not possible right away or at all, particularly on unsupported versions, administrators should consider disabling legacy IKEv1 and Remote Access client support and enforcing mandatory machine-certificate authentication.
(Source: Help Net Security)


